TOR bundle 4.0.4 was released. When I tried to validate my download I was unable to do so. Erinn Clark is no longer signing the TBB releases. The developers are now using the key below. It clearly states so on the TOR site. I thought I downloaded a bad package but TOR just changed the signing key. For Linux users it's simple to add using the terminal:

Developer signs the Tor Browsers. Import the key (0x4E2C6E8793298290) by starting the terminal and typing:

    gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290

After importing the key, you can verify that the fingerprint is correct:

    gpg --fingerprint 0x4E2C6E8793298290

You should see:

    pub   4096R/93298290 2014-12-15
          Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
    uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
    sub   4096R/F65C2036 2014-12-15
    sub   4096R/D40814E0 2014-12-15
    sub   4096R/589839A3 2014-12-15
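The post above stops at checking the key's fingerprint; the step that follows is `gpg --verify` on the downloaded bundle, and that step has a catch worth scripting: `gpg --verify` exits 0 for a good signature from any key in your keyring, and Tor signs releases with a subkey, so the fingerprint gpg reports for the signature is not the published primary-key fingerprint. The script below is an added example, not code from the post or from the Tor Project. It reads gpg's machine-readable status output (`--status-fd 1`), pulls the primary-key fingerprint out of the `VALIDSIG` line, and compares it against the full fingerprint quoted above rather than the 32-bit short ID `93298290`. It assumes gpg is installed, the key has been imported as in the post, and the signature sits beside the bundle as `<bundle>.asc` (the naming is an assumption). The sample status lines at the bottom are constructed for an offline dry run and are not real gpg output.

```shell
#!/bin/sh
# Added example, not from the post: accept a Tor Browser bundle only when gpg reports a valid
# signature whose PRIMARY key matches the published Tor Browser Developers fingerprint.

# Full fingerprint from the Tor site, as quoted in the post, with spaces removed.
TOR_BROWSER_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# normalize_fpr FPR: drop spaces and upper-case the hex so "EF6E 286D ..." and "ef6e286d..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# primary_fpr_from_status: read `gpg --status-fd 1 --verify` output on stdin and print the
# fingerprint of the primary key behind the VALIDSIG line. Status lines look like
#   [GNUPG:] VALIDSIG <sigkey-fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo> <hash> <class> <primary-fpr>
# so the signing (sub)key is field 3 and the primary key is field 12. Prints nothing if no VALIDSIG.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }'
}

# fingerprint_matches EXPECTED ACTUAL: succeed only when ACTUAL is non-empty and equal to EXPECTED.
fingerprint_matches() {
    [ -n "$2" ] && [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# check_status EXPECTED_FPR: read gpg status output on stdin; succeed only for a VALIDSIG from EXPECTED_FPR.
check_status() {
    fpr="$(primary_fpr_from_status)"
    fingerprint_matches "$1" "$fpr"
}

# verify_tbb BUNDLE: the real check. Assumes the detached signature is BUNDLE.asc and the key is imported.
verify_tbb() {
    if gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | check_status "$TOR_BROWSER_FPR"; then
        echo "OK: $1 carries a valid signature from the Tor Browser Developers key"
    else
        echo "FAIL: $1 is not signed by the expected key (or the signature is bad); do not run it" >&2
        return 1
    fi
}

# --- Constructed sample status output for an offline dry run (NOT real gpg output) ---

# A valid signature made by a subkey (placeholder fingerprint) of the expected primary key.
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4E2C6E8793298290 Tor Browser Developers (signing key) <torbrowser@torproject.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2015-01-01 1420070400 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290'

# A signature that does not verify at all.
SAMPLE_BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Constructed Example Key <nobody@example.invalid>'

# A perfectly valid signature, but from some other key in the keyring: gpg alone would exit 0 here.
SAMPLE_OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Example Key <nobody@example.invalid>
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2015-01-01 1420070400 0 4 0 1 10 00 0000000000000000000000000000000000000000'

# Dry run on the constructed samples; only the first should be accepted.
printf '%s\n' "$SAMPLE_GOOD_STATUS" | check_status "$TOR_BROWSER_FPR" && echo "dry run: good sample accepted"
printf '%s\n' "$SAMPLE_OTHER_KEY_STATUS" | check_status "$TOR_BROWSER_FPR" || echo "dry run: other-key sample rejected"
```

Usage against a real download is `verify_tbb tor-browser-linux64-4.0.4_en-US.tar.xz` (filename constructed as an illustration) after importing the key. The third sample is the reason for the script: a "Good signature" message from gpg only means some imported key signed the file, so the fingerprint comparison is what ties the bundle to the key the Tor site publishes.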
On a related note, I am soliciting opinions and experience. After studying the TBB "internal updater" it appears that there might be a security risk to internally updating your TBB version. To me it looks like the CA selected by the updater could be suspect since it relies upon a CA selection. It does not work like validation of a whole download via gpg. I have no working proof, it's just that the process appears to have a weakness. It is being discussed at TOR. I hear rumors that the new alphas are testing a full gpg validation during the internal update. Staying tuned! After looking at this I have decided to always (for now anyway) use a full download and then gpg validate the package. From there I'll disburse as needed. Another convenience (internal updater) vs. security debate. How are you guys handling the version updates? I am betting most take the easy/quick route and internally update.
I always manually download the new release version of TBB from the official website. I have never used the updater. I like a fresh install.
I also think there is something to be said for a fresh start via a new version package. The hassle is re-doing any special configs. Notably, I don't know why TOR ships the bundle with NoScript set open. The first thing I do is close it. I do know their argument but it doesn't make sense to me. J_L, do you always run TOR in RAM? I can see times for a "Tails-like" approach. How are you running the rest of the time (trying to learn, not be invasive)? How is what you are doing any different than just running TAILS?
I always do, because I rarely use it. The rest of the time, I treat everything as public info or at least government-aware. Running TAILS would be overkill and less convenient, as you have to reboot (and might not have full hardware support). Of course, NoScript is enabled and downloads are all stored on the RAM disk as well before encryption or proper storage.